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We consider the collective eavesdropping of the BB84 and six-state protocols. Since these protocols 
are symmetric in the eigenstates of conjugate bases, we consider collective attacks having the same 
kind of symmetry. We then show how these symmetric collective attacks are sufficiently strong in 
order to minimize the Devetak- Winter rates. In fact, it is quite easy to construct simple examples 
able to reach the unconditionally- secure key-rates of these protocols. 
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O I- INTRODUCTION 
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Recently, Renner [l[ has shown how to reduce quantum key distribution (QKD) to the cryptoanalysis of collective 
Oh' attacks. This is possible by turning an arbitrary QKD protocol into a permutation invariant one, where Alice and Bob 
publicly agree on a random permutation which they use to reorder their classical values just at the end of the quantum 
communication and before any other classical processing of the data Thanks to this permutation invariance, a 
finite quantum de Finetti theorem Q can be applied to the cryptographic scenario and, therefore, the most general 
coherent attack can be approximated by a mixture of collective attacks. As a consequence, a bound on the key-rate 
for all the possible collective attacks becomes automatically a bound for the most general attacks allowed by quantum 
mechanics. Since a natural upper bound for the eavesdropper's information Iae is given by the Holevo information 
O-i Xae, the minimization of the Devetak- Winter rate [H, 3 Row '■= Iab — Xae on the class of collective attacks provide 
i 1 „ , a natural lower bound for the unconditionally-secure key-rate. 

In this paper we consider the cryptoanalysis of the BB84 and the six-state protocols. Such QKD schemes can be 
called symmetric since they are based on the symmetric exploitation of the eigenstates of conjugate bases (mutually 
unbiased bases). It is then intuitive to consider collective attacks whose action is symmetric on these eigenstates, 
resulting in uniform contractions within the Bloch sphere. Such symmetric collective attacks are in fact a trivial 
extension of the symmetric individual attacks defined by Gisin et al. [&]. The naive result of this paper is that, for 
symmetric QKD schemes like the BB84 and six-state protocols, the minimization of the Devetak- Winter rates can be 
restricted to the class of symmetric collective attacks. In fact, it is very easy to find simple examples of symmetric 
collective attacks whose Devetak- Winter rates correspond exactly to the unconditionally-secure key-rates of these 
\ symmetric protocols. 
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In the BB84 protocol [f|, two honest users (Alice and Bob) randomly choose between two conjugate bases, i.e., 
the Z-basis {|0) , |1)} (the eigenstates of the Pauli operator Z) and the X-basis {|+) , |— )} (the eigenstates |±) = 
2~ 1,/2 (|0) ± |1)) of the Pauli operator X). Alice encodes a logical bit into her basis a a = Z \J X according to the 
mapping = |0) V |+) and 1 = 1 1) V |— ). The signal state \u) with u = {0, 1, +, — } is then sent to Bob through the 
noisy channel £, who will project the output state pb(u) := £ (\u) (u\) onto his basis erg = Z V X in order to decode 
Alice's logical bit. At the end of the quantum communication, Alice and Bob publicly agree a random permutation 
of their binary data (called the raw key). Then, they disclose all their bases (basis reconciliation) and keep only 
the compatible data, forming the so-called sifted key. Such a key is still affected by errors due to the noise of the 
channel and the corresponding error rate is called QBER (for quantum bit error rate). The QBER is computed during 
the subsequent error estimation, where the honest users publicly compare a (small) random subset of the sifted key. 
From the knowledge of the QBER, the honest users can bound the amount of information potentially stolen by an 
eavesdropper (Eve). In particular, if the QBER is below a certain security threshold, then Alice and Bob can apply 
procedures of error correction and privacy amplification in order to derive a final secret and error-free binary key. 

In a collective attack, Eve probes each signal qubit using a fresh ancilla, which is then stored in a cell of a quantum 
memory coherently measured at the end of the protocol. In particular, such a coherent measurement is also optimized 
on every classical communication used by Alice and Bob during the protocol like, e.g., the basis reconciliation. As 
a consequence, Eve has an a posteriori knowledge of the basis (Z or X) which was used for each signal qubit. On 
the one hand, Eve can exploit this knowledge in the final detection Q, on the other hand, she cannot exploit it for a 
conditional optimization of the signal- ancilla interactions (which, of course, have been already occurred). Since the 
usage of the two conjugate bases is perfectly symmetric in the BB84 protocol, the optimal eavesdropping strategy 
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should consist in signal-ancilla interactions which are symmetric in the eigenstates of these conjugate bases. 

Let us explicitly construct this kind of symmetric interaction. According to the Stinespring dilation theorem Q , the 
quantum channel £ acting on the signal qubit can be represented by a unitary interaction U coupling the signal qubit 
with two ancillary qubits initially prepared in the vacuum state (such a representation is also minimal and unique 
up to partial isometries). Then, for every input u = {0,1,+,—}, we can write the following signal-ancilla unitary 
interaction 

U (|it) ® |0, 0)) = |u) \F V ) + \u@\) \D U ) , (1) 

where u® 1 = {1, 0, — , +} and the output ancillas (F and D's) are generally not orthogonal neither normalized. Now, 
the condition of symmetry in the four eigenstates \u) reduces the number of possible unitaries U. In particular, by 
imposing the conditions 

(F u \F U ) = F , (A, \D U ) = D := 1 - F , (F u \D U ) = , (2) 

one makes U symmetric and Eq. (fT]) a Schmidt form. The Stinespring dilation of Eq. |T]) under the conditions of Eq. @ 
defines the notion of symmetric attack, which is then individual or collective depending on the kind of measurement 
performed by Eve on her quantum memory. The corresponding action on the Alice-Bob channel is given by the map 

£ : \u) (u\ -» p B {u) = F \u) (u\ + D \u ffi 1) {u 8 1| , (3) 

describing a uniform contraction by F — D of the signal states, which is here equivalent to the contraction of the 
equator of the Bloch sphere From Eq. ^ it is clear that parameter F represents the fidelity while D is the 
QBER. As a consequence, Alice and Bob's mutual information is simply given by Iab = 1 — H(D) where H(p) = 
— plog 2 p— (1 — p)log 2 (l — p) is the Shannon entropy. 

Let us now consider the output state pe{u) which is received by Eve in the complementary Alice-Eve channel 
£ : \u) (u\ —>■ pe{u). This is equal to 

Pe{u) = \F U ) (F u \ + \D U ) (D u \ = F \f u ) (f u \ + D \d u ) (d u \ , (4) 

where the normalized states |/„) := F^ 1 / 2 \F U ) and \d u ) := D~ x / 2 \D U ) have been introduced. In case of collective 
attack, this output state is subject to an optimal coherent measurement involving all the cells of the quantum memory. 
Since Eve has the a posteriori knowledge of the basis, her coherent measurement has to discriminate between the two 
states of the quantum ensemble 

r p*(«) , *(«) = s ^ 

Q = < => pE ■= 7, ■ (5) 

[ p E (u®l) ,p(«el) = j 

It is known that the maximal amount of classical information (accessible information) that Eve can steal from this 
ensemble is upper-bounded by the Holevo information 

S[p E {u)] + S[p E (u® 1)] 
Xae ■= S(pe) , (6) 

where S(p) := — Tr (plog 2 p) is the Von Neumann entropy. As a consequence, the secret-key rate is lower bounded by 
the Devetak- Winter rate [4[ 

Rdw ■= Iab - Xae ■ (7) 

Since (/„ \d u ) = (F u \D U ) = in Eq. (01, we have that S[pe(u)) — S[pe(u(B1)] — H(D). By exploiting this expression 
and Iab = 1 — H(D), the Devetak- Winter rate for a symmetric collective attack simply becomes 

Rdw — 1 — S(pe) , (8) 

where only S(pe) remains to be computed. 

Following Gisin et al. [5j , let us simplify the structure of the symmetric attack by imposing the additional conditions 

(F u \F uel ) = Fcosx , (D u \D um ) = Dcosy , (F u \D U(B1 ) =0 , (9) 

with x and y real numbers. Such conditions imply 

D= 1 ' C0S M X :=D(x,y), (10) 
2 — cos x + cos y 



3 



so that U is not only symmetric but also completely determined by two angles x and y. In particular, we can realize 
all the conditions in Eqs. @ and © by choosing in Eq. JT]) the ancilla states [5] 
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Let us denote by S(x,y) the symmetric collective attack specified by the interaction of Eq. Then, it is easy to 

prove that the attack S(x,x) has a Devetak- Winter rate equal to 



R DW = 1 - 2H(D) 



(12) 



which corresponds exactly to the unconditionally-secure key-rate of the BB84 protocol 0] (with unconditional security 
threshold D ~ 11% as given by 1 - 2H(D) = 0). 

Proof of Eq. (II 2 [) . In order to prove the rate of Eq. (TT2"]) we have to compute the entropy S(pe) in Eq. ([5]) by 
exploiting the properties of the attack S(x, x), which are simply given by conditions of Eqs. ([2]) and ([9]) with x = y. 
By introducing the states 



PF ■= - (/u| + |/uffil) (/uffill) ) := - (K) (du| + Kffil) (du©l |) , 



(13) 



we can recast the average state pe of Eq. (JSJ) in the form pe = FpE + Dpo, so that it can be equivalently seen as the 
average state of the quantum ensemble 
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p F , P (F) = F 
PD , p(D) = D 



(14) 



From Eqs. ([2|) and 



we easily derive that pf and po are orthogonal, i.e., Tt(pfPd) — 0. As a consequence, we have 
X(Q) ■= S(p E ) ~ [FS(pf) + DS(p D )} = H{D) . (15) 



In order to extract S(pe) from Eq. (|15[) . we have to compute the two entropies S(pf) and S{po)- For computing 
S(pf) let us introduce the orthonormal set {\f u ) , \fu)}> where \ fu) is an arbitrary vector defined by (/„ 1/^ = 
and (/^- |/^) = 1. By using Eq. ([9]), we can always decompose |/ u ©i) = cos a; \f u ) + e'^sina; |/^-) with ip arbitrary 
phase, so that 
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By means of a suitable unitary we then get 

UppU^ = A |$_) ($_| + (1 - A) |$ + ) ($ 
where 

l-lcoszl , e-^(l + cos2a;±2|cosa;|)(csc2a;)|/ ll ) + |/^) 



X(x) 
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(16) 
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(18) 



andTV-2 = l + (l + cos2a;± 2 |cosa;|) 2 (csc2x) 2 . Since ($+ |$_) = 0, we simply achieve 5 (p F ) = S(Up F U 1 ) = H[X(x)]. 
In order to compute the other entropy S(pd), we just introduce an analogous orthonormal set {\d u ) , which 
leads to the corresponding result S(po) — H[X(y)]. 

Now, by setting x = y, we clearly have S(pf) — S(pd) = H[X(x)]. Then, we also have A(x) = D(x,x) for 
— 7r/2 < x < ir/2 and X(x) = 1 — D(x,x) for 7r/2 < a; < 37r/2, so that we can always write S(pf) = S(pd) — H{D). 
By replacing the latter result in Eq. (|T5l) we finally get S(pe) = 2H{D) which leads to the rate of Eq. (fT2|) . ■ 
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III. THE SIX-STATE PROTOCOL AND ITS SYMMETRIC EAVESDROPPING 



In the BB84 protocol the signal states represent the four equidistant poles lying on the equator of the Bloch 
sphere. In order to enhance the security, one can then think to saturate the sphere by including the exploitation of 
the remaining two poles. This is done in the six-state protocol [l(| where also the basis {\R) , \L)} := 2~ 1 / 2 {|0) + 
i |1) , |0) — i |1)} of the third Pauli operator Y = iXZ is exploited in both Alice's random encoding and Bob's random 
decoding. The six-state protocol is then formulated like the BB84 protocol except that now we have three bases 
{Z,X,Y} and, therefore, six possible signal states {\u) ; u = 0, 1, +, — , i?, L} encoding a logical qubit according to 
the mapping = |0) V |+) V \R) and 1 = |1) V |-) V \L). 

Since the six-state protocol is a symmetric extension of the BB84 to the third Pauli operator, we consider the same 
extension for the symmetric attacks. This means that an arbitrary symmetric attack against the six-state protocol 
is defined by Eqs. {T]) and ((2]) where now u — {0, 1, +, — , R, L}. The corresponding channel is again described by 
Eq. ([3]) which now corresponds to a uniform contraction by F — D of all the Bloch sphere. It is trivial to check that a 
symmetric collective attack against the six-state protocol is characterized by the same Devetak- Winter rate of Eq. ([8]), 
exactly as before [Til ] . 

Let us construct a simple example for the explicit computation of this rate. We can simplify the structure of the 
attack by imposing the conditions of Eq. © for all the bases, i.e., for u = {0, 1, +, — , R, L}. All these conditions 
imply now Eq. (TO)) together with 1 + F cos x — D cos y — 2F, which are simultaneously satisfied if and only if y — ir/2. 
As a consequence, we have 



1 - cos x 

D = - := D(x) , 

2 — cos x 



(19) 



and the unitary interaction U is completely determined by a single angle x. In particular, we can realize all the 
previous conditions by choosing the ancillas of Eq. (fl~Tj) with y = it/2, i.e., 
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where also \Dq) and \D\) are orthogonal. Let us denote by S(x) the symmetric collective attack specified by the 
interaction of Eq. (|20[) . Then, it is easy to prove that S(x) has a Devetak- Winter rate equal to 



3D D ( 3D\. / 3D 
Rdw = 1 + — log 2 — + I 1 - — I log 2 I 1 - — 



(21) 



which corresponds exactly to the unconditionally-secure key-rate of the six-state protocol |12| (with unconditional 
security threshold D ~ 12.6%). 



Proof of Eq. ([211) . In order to get the result we have to compute S(pe) for the simple attack S(x). Eve's output 
state pe{u) has the same form of Eq. (TJ|. Thus, the average state pe can be again recasted in terms of the states 
pn and pf of Eq. (|13p . in such a way to represent the same quantum ensemble Q of Eq. (|14p . As a consequence, the 
entropy S{pe) can be again extracted from of Eq. (|15|) . where the computation of S(pf) and S(pd) is now different 
since we have y = ir/2 and not x = y as before. The computation of S(po) is very easy thanks to the orthogonality 
which now exists between the D's states. Since (d u |d u ©i) = (D u \D u ®i) = 0, we have in fact S(po) — H(l/2) = 1. 
The computation of S(pf) is the same as before except that now the eigenvalue X(x) of Eq. (fT8|) is differently connected 
to the QBER D(x) of Eq. (19]). It is easy to check that \(x) = [1 - D(x)}^ 1 D(x)/2 for -ir/2 < x < tt/2 and X(x) = 
1 - {[1 - D(x)}^ 1 D(x)/2} for tt/2 < x < 3vr/2, so that we can always write S(p F ) = H(X) = H [(1 - D)~ 1 D/2] . 
By inserting the latter result and S(p D ) = 1 into Eq. (15]), one gets S(p E ) =D + H(D) + (1 - D)H [(1 - D)- 1 D/2] 
and, therefore, the Devetak- Winter rate 



R DW = (1 - D) \l - H 



D 



2(1 -D) 



- H(D) , 



(22) 



which is equivalent to the result of Eq. (|2"T]) . ■ 
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IV. CONCLUSION 

In conclusion, we have considered very simple collective attacks against the BB84 and six-state protocols, which 
are constructed by trivially extending the individual symmetric attacks of Gisin et al. 5] . Such symmetric collective 
attacks have been proven to be sufficiently strong in order to minimize the Devetak- Winter rates of these protocols. 
In fact, it has been shown how to construct simple examples able to reach their unconditionally-secure key-rates. Our 
results can be useful in the cryptoanalysis of other QKD protocols which are based on the symmetric exploitation of 
the vertices of regular polygons or polyhedrons embedded in the Bloch sphere. 
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